Looking for a Windows utility to forensically copy files


tilleyd

New Member
Feb 10, 2011
21
0
#1
Hello,

I'm familiar with Pinpoint's Safecopy, but what are some other Windows-based file copiers that can forensically copy files and provide file copy verification via hash comparisons?

Please advise, thanks!
 

bshavers

New Member
TRUSTED Contributor
Dec 2, 2008
29
Ratings
20
3
Seattle, WA
www.dfir.training
Facebook
https://www.facebook.com/dfirtools/
Twitter
https://twitter.com/DFIRTraining
#2
My answer to your question has been removed for some reason...
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#3
Due to the way Windows works, you will have to use a hardware write blocker to make a forensically sound copy. Windows automatically mounts storage devices read-write, and as soon as it mounts one, changes are made. Therefore, you must use a hardware write blocker. As to copying once you are using a write blocker to protect the evidence drive, you can use just about anything to copy and hash the file.

As far as the other response being removed, I would guess it was a link to an external site which isn't allowed.
 

bshavers

#4
Yep, I had a link in my reply.

Upcopy from Maresware (free) can do what you need (www dmares dot com).
FTK Imager from AccessData (free) can make forensic copies of the files and put them in a container file, and hash verify (www accessdata dot com).

X-Ways Forensics and EnCase (not free) can make forensic copies of the files, put them in a container file, and hash verify (x-ways dot net and guidancesoftware dot com).

If you only need to copy files and verify the hashes match, you don't need write protection. If you want a bit-for-bit copy of the drive or you want the most pristine copy of the files, then write protection may be in order.

You can boot the system to a forensic OS (Linux forensics or WinFE) and copy the file that way, as the drive would be write protected.
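
The copy-and-hash-verify step discussed in this thread, as an added Python example that is not part of any post above and is not the code of any tool named here. The function name `verified_copy` and the record layout are assumptions made for illustration; it does not replace write protection of the source drive.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large files are not loaded whole


def _hash_file(path, algo):
    """Hash a file from disk in chunks and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verified_copy(src, dst, algo="sha256"):
    """Copy src to dst, then prove the copy matches by re-reading both files."""
    st = os.stat(src)  # capture size and timestamps before the source is opened
    h = hashlib.new(algo)
    # "xb" refuses to overwrite an existing destination file
    with open(src, "rb") as fin, open(dst, "xb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # push the data to disk before re-reading it
    src_hash = h.hexdigest()
    dst_hash = _hash_file(dst, algo)   # independent read of the finished copy
    src_after = _hash_file(src, algo)  # detects a source that changed mid-copy
    # carry over access/modify times; os.utime cannot set the creation time
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    record = {"source": src, "destination": dst, "algorithm": algo,
              "size": st.st_size, "source_hash": src_hash,
              "destination_hash": dst_hash, "source_hash_after": src_after,
              "verified": src_hash == dst_hash == src_after}
    if not record["verified"]:
        raise IOError(f"hash mismatch for {src}: source={src_hash} "
                      f"copy={dst_hash} source_after={src_after}")
    return record


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(verified_copy(sys.argv[1], sys.argv[2]), indent=2))
```

The returned record can be saved alongside the copy as the verification log.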
 
